Wireshark-users: Re: [Wireshark-users] Display filter

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Irakli Natshvlishvili" <iraklin@xxxxxxxxx>
Date: Thu, 3 May 2007 11:39:38 -0800
Sake,

I modified the filter, "Via.*\x0d\x0aVia.*" does work for the capture I've posted.

But, will it work in case if 'Via' headers ARE NOT next to each other?

I mean, if a message looks like this:

To: <sip:[email protected]>;tag=51d14022
From: 9094354499< sip:[email protected]>;tag=4c3d535f
Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0
Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2
Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1
Contact: <sip:4pbueHxLlmmKCczZ-2iiiSB3Y37p6oGYVI7qOS2l5TN2_Oan0FWp60466xKFg..@10.10.10.10 >
Via: SIP/2.0/UDP 10.10.10.50:5065;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543-
CSeq: 342974572 INVITE
User-Agent: Tele2100

Will the above filter still work? Unfortunately I do not have message like this to test in Wireshark.

So, in essence my goal if following:

find a stingA in the packet followed by stringB, when between stringA and stringB there could be 0 or more CRLF.

Which in plan English means that stringA and stringB could be in the same line (before CRLF), could be in in different lines.

Anyone can help? I'm not a regex guru.

--i.n.

On 5/2/07, Sake Blok <sake@xxxxxxxxxx> wrote:
On Wed, May 02, 2007 at 10:05:47PM -0800, Irakli Natshvlishvili wrote:
> I've just tried. Does not work.

Can you poste a small capture file with a few packets that you would like
to match against?

Cheers,


Sake


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users



--
I.N.